/etc/polkit-1/rules.d/50-custom.rules
// Authorisation policy for this host, evaluated by polkit for every action request.
// Order of the checks matters: the first one that returns a polkit.Result decides;
// if none of them does, polkit falls through to the next rules file / action defaults.
polkit.addRule(function(action, subject) {
  // Power-state actions that are refused outright (no password prompt offered).
  var deniedPowerActions = [
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.power-off-multiple-sessions",
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.reboot-multiple-sessions",
    "org.freedesktop.login1.suspend",
    "org.freedesktop.login1.suspend-multiple-sessions",
    "org.freedesktop.login1.hibernate",
    "org.freedesktop.login1.hibernate-multiple-sessions",
    "org.freedesktop.login1.hybrid-sleep",
    "org.freedesktop.login1.hybrid-sleep-multiple-sessions"
  ];

  // Read-only queries plus the two hotspot-sharing requests; granted without a
  // prompt, but only to a subject in a local, active session.
  var localSessionAllowList = [
    "org.freedesktop.NetworkManager.wifi.scan",
    "org.freedesktop.NetworkManager.enable-disable-statistics",
    "org.freedesktop.resolve1.dump-cache",
    "org.freedesktop.resolve1.dump-server-state",
    "org.freedesktop.resolve1.dump-statistics",
    "org.fedoraproject.FirewallD1.info",
    "org.fedoraproject.FirewallD1.config.info",
    "org.fedoraproject.FirewallD1.direct.info",
    "org.fedoraproject.FirewallD1.policies.info",
    // hotspot sharing requests are allowed to be started by the user
    "org.freedesktop.NetworkManager.wifi.share.open",
    "org.freedesktop.NetworkManager.wifi.share.protected"
  ];

  // Fragments of action ids covering network control, configuration changes and
  // radio/hardware switches. Matching is by substring, so each fragment
  // intentionally covers a whole family of actions (e.g. "resolve1.set-").
  var adminRequiredFragments = [
    "NetworkManager.network-control",
    "NetworkManager.settings.modify",
    "NetworkManager.enable-disable",
    "NetworkManager.reload",
    "NetworkManager.checkpoint-rollback",
    "resolve1.set-",
    "resolve1.revert",
    "network1.set-",
    "network1.revert",
    "network1.reconfigure",
    "network1.forcerenew",
    "FirewallD1.all",
    "FirewallD1.config",
    "FirewallD1.direct",
    "FirewallD1.policies",
    "urfkill.block",
    "ModemManager1.Control",
    "connman.modify",
    "connman.secret"
  ];

  // Exact membership test for an action id.
  function isListed(list, id) {
    return list.indexOf(id) !== -1;
  }

  // True when any fragment occurs anywhere inside the action id.
  function containsAnyFragment(fragments, id) {
    return fragments.some(function(fragment) {
      return id.indexOf(fragment) !== -1;
    });
  }

  // Step 1: root is always allowed. NOTE: this also exempts root from the power
  // denial and the admin-password requirement applied below.
  if (subject.user === "root") {
    return polkit.Result.YES;
  }

  // Step 2: power operations (shutdown / reboot / sleep / hibernate) are denied.
  if (isListed(deniedPowerActions, action.id)) {
    return polkit.Result.NO;
  }

  // Step 3: allow-listed actions pass without a prompt for a local, active
  // session only; any other subject continues to the checks below.
  if (isListed(localSessionAllowList, action.id) && subject.local && subject.active) {
    return polkit.Result.YES;
  }

  // Step 4: everything touching network control, configuration or hardware
  // switches requires the administrator password.
  if (containsAnyFragment(adminRequiredFragments, action.id)) {
    return polkit.Result.AUTH_ADMIN;
  }

  // No decision for any other action: polkit consults the remaining rules.
});
/etc/systemd/system/remove-kvm-intel.service
# One-shot unit that unloads the kvm_intel module once during boot.
# NOTE(review): a module can be loaded again later (e.g. by modprobe); if the
# intent is to keep it out permanently, a modprobe.d blacklist is the durable
# mechanism — confirm which behaviour is wanted.
[Unit]
Description=Remove kvm_intel kernel module at boot
# Runs after early boot has finished, presumably so that modules loaded during
# early boot (e.g. by systemd-modules-load.service) are already present.
After=local-fs.target sysinit.target
Before=multi-user.target
[Service]
Type=oneshot
ExecStart=/sbin/modprobe -r kvm_intel
# Default for oneshot; the unit is considered finished once modprobe returns.
RemainAfterExit=no
# Ignore the error if the module is not loaded.
# NOTE(review): exit status 1 is presumably also what modprobe returns when the
# removal genuinely fails (e.g. the module is still in use), so such a failure
# is reported as success as well — verify this is acceptable.
SuccessExitStatus=0 1
[Install]
WantedBy=multi-user.target